Data Processing Agreement

Effective date: June 1, 2025 · Last updated: June 13, 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between MailPilot (“MailPilot”) and the Customer. It governs the processing of personal data by MailPilot on behalf of the Customer in connection with the MailPilot Services.

1. Definitions

"Controller" means the entity that determines the purposes and means of processing personal data (the MailPilot customer).

"Processor" means MailPilot, which processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

"Sub-processor" means any third party engaged by MailPilot to process Personal Data on behalf of the Controller.

2. Scope and Purpose

This DPA applies to the processing of personal data by MailPilot on behalf of the Customer in connection with MailPilot's email warmup, deliverability monitoring, and DNS health services.

MailPilot processes only the categories of personal data and data subjects necessary to provide the Services as described in the documentation.

MailPilot shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization.

3. Customer Obligations

The Customer shall comply with all applicable data protection laws in connection with its use of the Services.

The Customer is responsible for the lawfulness of the Personal Data it submits to MailPilot for processing.

The Customer shall ensure it has all necessary consents and legal bases for processing the Personal Data it provides to MailPilot.

4. MailPilot Obligations

MailPilot shall process Personal Data only on documented instructions from the Customer.

MailPilot shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction.

MailPilot shall assist the Customer in ensuring compliance with GDPR Articles 32–36, including data subject rights, security of processing, breach notification, data protection impact assessments, and prior consultation.

MailPilot shall ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.

5. Sub-Processors

MailPilot may engage sub-processors to assist in providing the Services. MailPilot shall impose equivalent data protection obligations on sub-processors as set out in this DPA.

Current sub-processors include: Vercel (hosting infrastructure), Supabase (database), Upstash (cache/queue), and Resend (transactional email). A complete and current list is available upon request.

MailPilot shall notify the Customer of any intended changes to sub-processor arrangements and give the Customer reasonable opportunity to object.

6. Data Subject Rights

MailPilot shall provide reasonable assistance to the Customer in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection laws.

MailPilot shall promptly notify the Customer if it receives a request from a data subject that relates to Personal Data processed under this DPA.

7. Security

MailPilot implements and maintains technical and organizational security measures including: encryption in transit (TLS 1.2+), encryption at rest, access controls, regular security assessments, and incident response procedures.

MailPilot shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting the Customer's data.

8. Data Retention and Deletion

Upon termination of the Services or upon the Customer's written request, MailPilot shall delete or return all Personal Data processed on behalf of the Customer within 30 days.

MailPilot shall retain certain data for the minimum period required by applicable law, after which it will be securely deleted.

9. Audits and Compliance

MailPilot shall make available all information necessary to demonstrate compliance with the obligations set out in this DPA.

MailPilot shall allow for and contribute to audits, including inspections, conducted by the Customer or its designee, subject to reasonable notice and confidentiality obligations.

10. International Data Transfers

MailPilot is based in the United States. Any transfer of Personal Data from the European Economic Area to the United States is governed by the EU Standard Contractual Clauses (SCCs) as incorporated into this DPA.

Customers requiring executed SCCs should contact MailPilot at privacy@mailpilot.so.

Request a Signed DPA

Enterprise customers and customers subject to GDPR can request a countersigned DPA or Standard Contractual Clauses by emailing privacy@mailpilot.so.
